Hardening Server Window


8/21/2019 Hardening Server Window

http://slidepdf.com/reader/full/hardening-server-window 1/32

Server hardening 

Server hardening consists of creating a baseline for the security on your servers in your organization. The default configurations of a Windows Server 2003 computer are not designed with security as the primary focus. Rather, a default installed computer is designed for communication and functionality. To protect your servers, you must establish solid and sophisticated security policies for all types of servers in your organization.

In this section, we will discuss the basic security baseline for a member server that is running in a Windows Server 2003 Active Directory domain. We will also discuss the best-practice security configurations in the security templates, starting with the generic best practices that apply to most member servers in the organization. We will then move on to the specific types of member servers, as well as domain controllers. We will discuss which services, ports, applications, and so forth need to be hardened for different server roles, and compare this to the baseline security for simple member servers.

TABLE OF CONTENTS

- Member servers
- Domain controllers
- File and print servers
- Web servers

Member servers 

You must establish a baseline of security for all member servers before creating additional security templates and policies to tailor security for specific types of servers. One of the most important aspects of applying hardening settings to member servers is developing the OU hierarchy that will support the security template and policies that you develop. You must also understand the various levels of security that are routinely used to develop and deploy security to all servers.

OU design considerations 

The only way to efficiently and successfully deploy security to the different server roles in your enterprise is to design Active Directory to support those roles. The design should not only provide an efficient method to deploy security, but it should also organize the computer accounts into OUs for easier management and troubleshooting.

Although Active Directory design is extremely flexible, you must consider a number of factors when organizing servers into OUs based on server role. The first factor is Group Policy application. For example, if you have two server roles that each need different security policy settings, you should separate the computer accounts into different OUs. The second factor is administration of the computer accounts within Active Directory. Even though you have only two different server roles, you might have two different administrators controlling the same type of server role. This might force you to have OUs not only for server roles, but also for server roles based on the administrator in charge.

Figure 5-7 illustrates an OU structure that does not consider location or administrative needs but does consider server roles. Figure 5-8 illustrates an OU structure that has a different set of administrators for the Main Office and Branch Office, where each office also has the same types of server roles.


Figure 5-7: An OU structure based on server roles only 

Figure 5-8: An OU structure that considers location and administrative needs as well as server roles

TIP  OUs are also commonly organized by physical location -- for example, the Main Office and Branch Office model. For more information on organizing OUs based on GPO deployment, see Chapter 4.

Member server security environment levels 

Member server security environments are based on the operating systems of the clients and servers in your enterprise. Legacy clients and servers can't take advantage of the robust features and functions that Active Directory provides, such as Group Policy, Kerberos, and other security features. As the operating systems of domain members rise to levels that support all Active Directory functions and features, it becomes possible to raise the overall security for the enterprise and thus create a solid security environment.

There are three different security environment levels typically found in an enterprise environment:

- Legacy Client  When you have a mixed operating system environment of new and older versions, you must provide adequate security that will not constrain the operation of legacy clients. This is the lowest security level, but it needs to be that way for communication to occur and legacy applications to work properly. This business environment might include legacy clients such as Windows 95, Windows 98, or Windows NT 4.0 Workstation. You should limit this environment to having only Windows 2000 Server and Windows Server 2003 domain controllers. You should not support Windows NT 4.0 Server domain controllers, although you can have Windows NT Server computers configured as member servers.

- Enterprise Client  This security level removes the legacy operating systems and uses only those that support the features and functions that Active Directory offers. This includes clients running Windows 2000 Professional and Windows XP Professional. These clients all support Group Policy, Kerberos authentication, and new security features that the legacy clients don't support. The domain controllers must be Windows 2000 Server or later. There will not be any Windows NT Server computers, even as member servers.

- High Security  This security level is basically the same as for Enterprise Client -- it changes only the level of security that is implemented. This level enhances security standards so that all computers conform to stringent security policies for both clients and servers. This environment might be constrictive enough that loss of functionality and manageability occurs. However, this must be acceptable because the higher security levels are a good tradeoff for the functionality and manageability that you are losing.

"Windows Server 2003 Security Guide"

The three enterprise environments described earlier and the procedures outlined in this chapter for hardening different server roles in each environment are discussed more fully in the Windows Server 2003 Security Guide. The Security Guide also includes a set of additional security templates that can be imported into GPOs to harden different server roles in legacy client, enterprise client, and high security environments. It also includes additional procedures for hardening security settings that cannot be configured using Group Policy. Using these additional security templates can simplify the hardening of different server roles on your network, and you can further customize these security templates to meet the specific needs of your Active Directory environment.

Security settings for member servers 

This section will cover some common security settings that apply to standard member servers in the domain. These settings are best created in a GPO that is then linked to the top-level server OU. In Figure 5-7 or 5-8, this would be the Member Servers OU.

Table 5-7 provides a full list of security settings for a member server.

NOTE  Account Policies, which include Password Policy, Account Lockout Policy, and Kerberos Policy, are not specified in the member servers security baseline outlined here. This is because Account Policies must be defined at the domain level in Active Directory, while the member servers security baseline is defined in GPOs linked to OUs where member servers are found. For best practices concerning domain Account Policies, see "Account Policies" under "Sections of the Security Template" earlier in this chapter, and also refer to the Windows Server 2003 Security Guide described in the "Windows Server 2003 Security Guide" sidebar.

Table 5-7 Security settings for member servers

Auditing

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
| --- | --- | --- | --- |
| Account Logon Events | Success, Failure | Success, Failure | Success, Failure |
| Account Management | Success, Failure | Success, Failure | Success, Failure |
| Directory Service Access | Success, Failure | Success, Failure | Success, Failure |
| Logon Events | Success, Failure | Success, Failure | Success, Failure |
| Object Access | Success, Failure | Success, Failure | Success, Failure |
| Policy Change | Success | Success | Success |
| Privilege Use | No Auditing | Failure | Success, Failure |
| Process Tracking | No Auditing | No Auditing | No Auditing |
| System Events | Success | Success | Success |

User Rights

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
| --- | --- | --- | --- |
| Access this computer from the network | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, Authenticated Users |
| Act as part of the operating system | Not Defined (Use defaults) | Not Defined (Use defaults) | Revoke all security groups and accounts |
| Add workstations to domain | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Adjust memory quotas for a process | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, NETWORK SERVICE, LOCAL SERVICE |
| Allow log on locally | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Power Users | Administrators, Backup Operators, Power Users |
| Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | Administrators |
| Change the system time | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Debug programs | Revoke all security groups and accounts | Revoke all security groups and accounts | Revoke all security groups and accounts |
| Deny access to this computer from the network | ANONYMOUS LOGON; Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all NON-Operating System service accounts | ANONYMOUS LOGON; Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all NON-Operating System service accounts | ANONYMOUS LOGON; Built-in Administrator; Guests; SUPPORT_388945a0; Guest; all NON-Operating System service accounts |
| Deny log on as a batch job | Guests; Support_388945a0; Guest | Guests; Support_388945a0; Guest | Guests; Support_388945a0; Guest |
| Deny log on through Terminal Services | Built-in Administrator; Guests; Support_388945a0; Guest; all NON-operating system service accounts | Built-in Administrator; Guests; Support_388945a0; Guest; all NON-operating system service accounts | Built-in Administrator; Guests; Support_388945a0; Guest; all NON-operating system service accounts |
| Enable computer and user accounts to be trusted for delegation | Not Defined (Use defaults) | Not Defined (Use defaults) | Revoke all security groups and accounts |
| Force shutdown from a remote system | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Generate security audits | Not Defined | Not Defined | NETWORK SERVICE, LOCAL SERVICE |
| Impersonate a client after authentication | Not Defined (Use defaults) | Not Defined (Use defaults) | Local Service; Network Service |
| Increase scheduling priority | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Load and unload device drivers | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Lock pages in memory | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Log on as a batch job | Not Defined (Use defaults) | Not Defined (Use defaults) | Revoke all security groups and accounts |
| Manage auditing and security log | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Modify firmware environment values | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Perform volume maintenance tasks | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Profile single process | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Profile system performance | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Remove computer from docking station | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Replace a process level token | Not Defined (Use defaults) | Not Defined (Use defaults) | LOCAL SERVICE, NETWORK SERVICE |
| Restore files and directories | Not Defined (Use defaults) | Administrators | Administrators |
| Shut down the system | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |
| Synchronize directory service data | Not Defined (Use defaults) | Not Defined (Use defaults) | Revoke all security groups and accounts |
| Take ownership of files or other objects | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators |

Security Options

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
| --- | --- | --- | --- |
| Accounts: Guest account status | Disabled | Disabled | Disabled |
| Accounts: Limit local account use of blank passwords to console logon | Enabled | Enabled | Enabled |
| Audit: Audit the access of global system objects | Disabled | Disabled | Disabled |
| Audit: Audit the use of Backup and Restore privilege | Disabled | Disabled | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled | Enabled |
| Devices: Allow undock without having to log on | Disabled | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrators | Administrators | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled | Enabled | Enabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Not Defined (Use defaults) | Not Defined (Use defaults) | Enabled |
| Devices: Restrict floppy access to locally logged-on user only | Not Defined (Use defaults) | Not Defined (Use defaults) | Enabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Warn but allow installation |
| Domain controller: Allow server operators to schedule tasks | Disabled | Disabled | Disabled |
| Domain controller: LDAP server signing requirements | Not Defined (Use defaults) | Not Defined (Use defaults) | Require Signing |
| Domain controller: Refuse machine account password changes | Disabled | Disabled | Disabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Disabled | Enabled | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled |
| Domain member: Disable machine account password changes | Disabled | Disabled | Disabled |
| Domain member: Maximum machine account password age | 30 days | 30 days | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled |
| Interactive logon: Do not display last user name | Enabled | Enabled | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled |
| Interactive logon: Message text for users attempting to log on | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background. |
| Interactive logon: Message title for users attempting to log on | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 1 | 0 | 0 |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled | Enabled | Enabled |
| Interactive logon: Smart card removal behavior | Not Defined (Use defaults) | Lock Workstation | Lock Workstation |
| Microsoft network client: Digitally sign communications (always) | Disabled | Enabled | Enabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Disabled | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled |
| Network access: Named Pipes that can be accessed anonymously | None | None | None |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion |
| Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled |
| Network access: Shares that can be accessed anonymously | None | None | None |
| Network access: Sharing and security model for local accounts | Classic -- local users authenticate as themselves | Classic -- local users authenticate as themselves | Classic -- local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled |
| Network security: LAN Manager authentication level | Send NTLMv2 responses only | Send NTLMv2 response only/refuse LM | Send NTLMv2 response only/refuse LM and NTLM |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Enabled all settings | Enabled all settings |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Enabled all settings | Enabled all settings |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled |
| Shutdown: Clear virtual memory page file | Disabled | Disabled | Enabled |
| System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used | User is prompted when the key is first used | User must enter a password each time they use a key |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled |
| System objects: Strengthen default permissions of internal system objects (such as Symbolic Links) | Enabled | Enabled | Enabled |
| System settings: Optional subsystems | None | None | None |

Event Log

| Security Setting | Legacy Client Configuration | Enterprise Client Configuration | High Security Configuration |
| --- | --- | --- | --- |
| Maximum application log size | 16,384 KB | 16,384 KB | 16,384 KB |
| Maximum security log size | 81,920 KB | 81,920 KB | 81,920 KB |
| Maximum system log size | 16,384 KB | 16,384 KB | 16,384 KB |
| Prevent local guests group from accessing application log | Enabled | Enabled | Enabled |
| Prevent local guests group from accessing security log | Enabled | Enabled | Enabled |
| Prevent local guests group from accessing system log | Enabled | Enabled | Enabled |
| Retention method for application log | As needed | As needed | As needed |
| Retention method for security log | As needed | As needed | As needed |
| Retention method for system log | As needed | As needed | As needed |

Security Setting Legacy Client

Configuration Enterprise Client

Configuration High Security

Configuration 

System Services 

Alerter Disabled Disabled Disabled

Application LayerGateway Service Disabled Disabled Disabled

ApplicationManagement

Disabled Disabled Disabled

ASP.NET State Service Disabled Disabled Disabled

Automatic Updates Automatic Automatic Automatic

Page 19: Hardening Server Window

8/21/2019 Hardening Server Window

http://slidepdf.com/reader/full/hardening-server-window 19/32

Background IntelligentTransfer Service

Manual Manual Manual

Certificate Services Disabled Disabled Disabled

MS Software Shadow

Copy Provider Manual Manual Manual

Client Service for Netware

Disabled Disabled Disabled

ClipBook Disabled Disabled Disabled

Cluster Service Disabled Disabled Disabled

COM+ Event System Manual Manual Manual

COM+ System

Application

Disabled Disabled Disabled

Computer Browser Automatic Automatic Automatic

CryptographicServices

Automatic Automatic Automatic

DHCP Client Automatic Automatic Automatic

DHCP Server Disabled Disabled Disabled

Distributed LinkTracking Client

Disabled Disabled Disabled

Distributed LinkTracking Server

Disabled Disabled Disabled

DistributionTransactionCoordinator

Disabled Disabled Disabled

DNS Client Automatic Automatic Automatic

DNS Server Disabled Disabled Disabled

Error ReportingService Disabled Disabled Disabled

Event Log Automatic Automatic Automatic

Fax Service Disabled Disabled Disabled

File Replication Disabled Disabled Disabled

Page 20: Hardening Server Window

8/21/2019 Hardening Server Window

http://slidepdf.com/reader/full/hardening-server-window 20/32

File Server forMacintosh

Disabled Disabled Disabled

FTP Publishing Disabled Disabled Disabled

Help and Support Disabled Disabled Disabled

HTTP SSL Disabled Disabled Disabled

Human InterfaceDevice Access

Disabled Disabled Disabled

IAS Jet DatabaseAccess

Disabled Disabled Disabled

IIS Admin Service Disabled Disabled Disabled

IIS IMAPI CD-Burning

COM Service

Disabled Disabled Disabled

Indexing Service Disabled Disabled Disabled

Infrared Monitor Disabled Disabled Disabled

Internet AuthenticationService

Disabled Disabled Disabled

Internet ConnectionFirewall (ICF)/InternetConnection Sharing(ICS)

Disabled Disabled Disabled

Intersite Messaging Disabled Disabled Disabled

IP Version 6 HelperService

Disabled Disabled Disabled

IPSec Policy Agent(IPSec Service)

Automatic Automatic Automatic

Kerberos KeyDistribution Center

Disabled Disabled Disabled

License LoggingService

Disabled Disabled Disabled

Logical Disk Manager Manual Manual Manual

Logical Disk ManagerAdministrative Service

Manual Manual Manual

Message Queuing Disabled Disabled Disabled

Page 21: Hardening Server Window

8/21/2019 Hardening Server Window

http://slidepdf.com/reader/full/hardening-server-window 21/32

 

Message QueuingDown Level Clients

Disabled Disabled Disabled

Message QueuingTriggers

Disabled Disabled Disabled

Messenger Disabled Disabled Disabled

Microsoft POP3 Service Disabled Disabled Disabled

MSSQL$UDDI Disabled Disabled Disabled

MSSQLServerADHelper Disabled Disabled Disabled

.NET FrameworkSupport Service

Disabled Disabled Disabled

 Netlogon Automatic Automatic Automatic

 NetMeeting RemoteDesktop Sharing

Disabled Disabled Disabled

 Network Connections Manual Manual Manual

 Network DDE Disabled Disabled Disabled

 Network DDE DSDM Disabled Disabled Disabled

 Network LocationAwareness (NLA)

Manual Manual Manual

 Nework News TransportProtocol (NNTP)

Disabled Disabled Disabled

 NTLM SupportProvider

Automatic Automatic Automatic

Performance Logsand Alerts

Manual Manual Manual

Plug and Play Automatic Automatic Automatic

Portable Media

Serial NumberDisabled Disabled Disabled

Printer Server forMacintosh

Disabled Disabled Disabled

Print Spooler Disabled Disabled Disabled

Protected Storage Automatic Automatic Automatic

Page 22: Hardening Server Window

8/21/2019 Hardening Server Window

http://slidepdf.com/reader/full/hardening-server-window 22/32

Table 5-7 (continued)

Service                                               Legacy Client       Enterprise Client   High Security
Remote Access Auto Connection Manager                 Disabled            Disabled            Disabled
Remote Access Connection Manager                      Disabled            Disabled            Disabled
Remote Administration Service                         Manual              Manual              Manual
Remote Desktop Help Session Manager                   Disabled            Disabled            Disabled
Remote Installation                                   Disabled            Disabled            Disabled
Remote Procedure Call (RPC)                           Automatic           Automatic           Automatic
Remote Procedure Call (RPC) Locator                   Disabled            Disabled            Disabled
Remote Registry Service                               Automatic           Automatic           Automatic
Remote Server Manager                                 Disabled            Disabled            Disabled
Remote Server Monitor                                 Disabled            Disabled            Disabled
Remote Storage Notification                           Disabled            Disabled            Disabled
Remote Storage Server                                 Disabled            Disabled            Disabled
Removable Storage                                     Manual              Manual              Manual
Resultant Set of Policy Provider                      Disabled            Disabled            Disabled
Routing and Remote Access                             Disabled            Disabled            Disabled
SAP Agent                                             Disabled            Disabled            Disabled
Secondary Logon                                       Disabled            Disabled            Disabled
Security Accounts Manager                             Automatic           Automatic           Automatic
Server                                                Automatic           Automatic           Automatic
Shell Hardware Detection                              Disabled            Disabled            Disabled
Simple Mail Transport Protocol (SMTP)                 Disabled            Disabled            Disabled
Simple TCP/IP Services                                Disabled            Disabled            Disabled
Single Instance Storage Groveler                      Disabled            Disabled            Disabled
Smart Card                                            Disabled            Disabled            Disabled
SNMP Service                                          Disabled            Disabled            Disabled
SNMP Trap Service                                     Disabled            Disabled            Disabled
Special Administration Console Helper                 Disabled            Disabled            Disabled
System Event Notification                             Automatic           Automatic           Automatic
Task Scheduler                                        Disabled            Disabled            Disabled
TCP/IP NetBIOS Helper Service                         Automatic           Automatic           Automatic
TCP/IP Print Server                                   Disabled            Disabled            Disabled
Telephony                                             Disabled            Disabled            Disabled
Telnet                                                Disabled            Disabled            Disabled
Terminal Services                                     Automatic           Automatic           Automatic
Terminal Services Licensing                           Disabled            Disabled            Disabled
Terminal Services Session Directory                   Disabled            Disabled            Disabled
Themes                                                Disabled            Disabled            Disabled
Trivial FTP Daemon                                    Disabled            Disabled            Disabled
Uninterruptible Power Supply                          Disabled            Disabled            Disabled
Upload Manager                                        Disabled            Disabled            Disabled
Virtual Disk Service                                  Disabled            Disabled            Disabled
Volume Shadow Copy                                    Manual              Manual              Manual
WebClient                                             Disabled            Disabled            Disabled
Web Element Manager                                   Disabled            Disabled            Disabled
Windows Audio                                         Disabled            Disabled            Disabled
Windows Image Acquisition (WIA)                       Disabled            Disabled            Disabled
Windows Installer                                     Automatic           Automatic           Automatic
Windows Internet Name Service (WINS)                  Disabled            Disabled            Disabled
Windows Management Instrumentation                    Automatic           Automatic           Automatic
Windows Management Instrumentation Driver Extensions  Manual              Manual              Manual
Windows Media Services                                Disabled            Disabled            Disabled
Windows System Resource Manager                       Disabled            Disabled            Disabled
Windows Time                                          Automatic           Automatic           Automatic
WinHTTP Web Proxy Auto-Discovery Service              Disabled            Disabled            Disabled
Wireless Configuration                                Disabled            Disabled            Disabled
WMI Performance Adapter                               Manual              Manual              Manual
Workstation                                           Automatic           Automatic           Automatic
World Wide Web Publishing Service                     Disabled            Disabled            Disabled
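As an added example (not code from the chapter or from the Windows Server 2003 Security Guide), the following PowerShell audits a server's service startup types against the Table 5-7 baseline and can enforce it. It assumes Windows PowerShell 2.0 and WMI access to Win32_Service; the baseline excerpt and the sample service list are constructed for the demonstration, and the names ConvertFrom-Baseline, Test-ServiceBaseline and table5-7.txt are this example's own.

```powershell
# Added example, not from the original chapter: audit a server's service startup types
# against the Table 5-7 baseline and optionally enforce it. Requires Windows PowerShell 2.0
# (available for Windows Server 2003) and reads services through WMI (Win32_Service).

# Constructed excerpt of Table 5-7 in "DisplayName|Startup" form. Put the full table in a
# text file in the same format and load it with Get-Content; names must match the display
# name shown in the Services console exactly.
$BaselineText = @'
Netlogon|Automatic
Network Connections|Manual
NTLM Security Support Provider|Automatic
Print Spooler|Disabled
Remote Procedure Call (RPC)|Automatic
Secondary Logon|Disabled
Server|Automatic
SNMP Service|Disabled
Task Scheduler|Disabled
Telnet|Disabled
Terminal Services|Automatic
Volume Shadow Copy|Manual
WebClient|Disabled
Windows Time|Automatic
Workstation|Automatic
World Wide Web Publishing Service|Disabled
'@

function ConvertFrom-Baseline {
    param([string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        # Ignore blank or malformed lines; accept only the three startup types the table uses.
        if ($line -match '^\s*([^|]+?)\s*\|\s*(Automatic|Manual|Disabled)\s*$') { $table[$matches[1]] = $matches[2] }
    }
    $table
}

# Win32_Service.StartMode says "Auto" where the table says "Automatic".
$StartModeMap = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

function Test-ServiceBaseline {
    param(
        [hashtable]$Baseline,
        [object[]]$Services = (Get-WmiObject -Class Win32_Service),  # pass a constructed list to run offline
        [switch]$Remediate
    )
    $byName = @{}
    foreach ($svc in $Services) { $byName[$svc.DisplayName] = $svc }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        $svc = $byName[$name]
        if (-not $svc) {
            # A service that is not installed cannot start, so it satisfies a "Disabled" baseline;
            # a missing service the baseline expects to run is a finding.
            $actual = '(not installed)'
            $status = if ($expected -eq 'Disabled') { 'OK' } else { 'MISSING' }
        } else {
            $actual = $StartModeMap[$svc.StartMode]
            if (-not $actual) { $actual = $svc.StartMode }
            $status = if ($actual -eq $expected) { 'OK' } else { 'DRIFT' }
            if ($status -eq 'DRIFT' -and $Remediate) {
                # ChangeStartMode accepts Automatic/Manual/Disabled; a newly disabled service is also stopped.
                [void]$svc.ChangeStartMode($expected)
                if ($expected -eq 'Disabled' -and $svc.State -eq 'Running') { [void]$svc.StopService() }
                $status = 'FIXED'
            }
        }
        New-Object PSObject -Property @{ Service = $name; Expected = $expected; Actual = $actual; Status = $status }
    }
}

# Constructed sample services (not read from a real server) so the check can be exercised offline:
# Print Spooler and Telnet are left running where the baseline disables them, and the baseline
# services absent from this short list report MISSING.
$SampleServices = @(
    (New-Object PSObject -Property @{ DisplayName = 'Netlogon';      StartMode = 'Auto';   State = 'Running' }),
    (New-Object PSObject -Property @{ DisplayName = 'Print Spooler'; StartMode = 'Auto';   State = 'Running' }),
    (New-Object PSObject -Property @{ DisplayName = 'Telnet';        StartMode = 'Manual'; State = 'Running' }),
    (New-Object PSObject -Property @{ DisplayName = 'Server';        StartMode = 'Auto';   State = 'Running' })
)
$Baseline = ConvertFrom-Baseline ($BaselineText -split "`n")
Test-ServiceBaseline -Baseline $Baseline -Services $SampleServices |
    Where-Object { $_.Status -ne 'OK' } | Format-Table Service, Expected, Actual, Status -AutoSize

# Live, read-only audit of this server; add -Remediate to enforce the baseline:
# Test-ServiceBaseline -Baseline (ConvertFrom-Baseline (Get-Content .\table5-7.txt)) | Format-Table -AutoSize
```

Matching is by display name, so the baseline file must use the names exactly as the Services console shows them. Run the read-only form first and review the DRIFT lines; -Remediate changes start modes immediately and stops services the baseline disables, which is the same result a security template applied through Group Policy produces at the next policy refresh.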

Ports required for member servers 

For a member server to function on the network with other computers, specific ports must be opened. Table 5-8 presents a list of those critical ports. As we investigate specific server roles, additional ports will need to be added to ensure the server functions properly.

Table 5-8 Ports for member servers 


137 (NetBIOS name service; UDP)
    NetBIOS name registration and resolution, used by the browse master (Computer Browser) service. This must be open on WINS servers and browse master servers.

138 (NetBIOS datagram service; UDP)
    Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service or the Computer Browser service.

139 (NetBIOS session service; TCP)
    Must be closed unless you run applications or operating systems that need NetBIOS over TCP/IP to carry Windows networking (SMB) connections. Windows NT 4.0, Windows Millennium Edition, Windows 98 and Windows 95 clients reach file and print shares only through this port, so it must be open on your servers if you still support them.

445 (CIFS/SMB; TCP)
    Used by basic Windows networking from Windows 2000 and later clients, including file sharing, printer sharing, and remote administration.

3389 (Remote Desktop Protocol; TCP)
    Must be open if you are using Terminal Services for application sharing, Remote Desktop for Administration, or Remote Assistance.

Domain controllers

Domain controllers are the heart of any environment that runs Active Directory. These computers must be stable, protected, and available to provide the key services for the directory service, user authentication, resource access, and more. If a domain controller is lost or compromised, the result can be disastrous for the clients, servers, and applications that rely on domain controllers for authentication, Group Policy, and the LDAP directory. A compromised domain controller also exposes every account in the domain, because the password hashes of all domain accounts are stored in its copy of the directory database.

Not only should these domain controllers be hardened with security configurations, they must also be physically secured in locations that are accessible only to qualified administrative staff. If domain controllers are stored in unsecured locations due to limitations of the facility (such as in a branch office), you should apply additional security configurations to limit the potential damage from physical threats against the computer.

Domain controller security environment levels 


Along the same lines as the member server hardening guidelines, domain controllers also have different levels of security based on the environment in which they are deployed. These levels are the same as those defined in the "Member Servers" section in this chapter: Legacy Client, Enterprise Client, and High Security.

Security settings for domain controllers 

Security settings that apply specifically to domain controllers are best created in a GPO that is then linked to the Domain Controllers OU. The settings for domain controllers should be based on those we reviewed in the earlier "Member Servers" section. Of course, a domain controller also has additional functions or features compared to a member server, and this requires additional open ports and security configuration. You must review the security settings list to ensure that you are not restricting a key feature for your domain controller.

Table 5-9 lists the settings that differ from those specified in Table 5-7. In other words, the baseline security settings for domain controllers as outlined below should be incrementally added to the baseline security settings for member servers described previously.

MORE INFO  For more information on hardening domain controllers in different enterprise environments, see the Windows Server 2003 Security Guide.

Table 5-9 Security settings for domain controllers 

Security Setting                                            Legacy Client Configuration   Enterprise Client Configuration   High Security Configuration

User Rights
Access this computer from the network                       Not Defined (use defaults)    Not Defined (use defaults)        Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS
Add workstations to domain                                  Administrators                Administrators                    Administrators
Allow log on locally                                        Administrators                Administrators                    Administrators
Allow log on through Terminal Services                      Administrators                Administrators                    Administrators
Change the system time                                      Administrators                Administrators                    Administrators
Enable computer and user accounts to be trusted for         Not Defined (use defaults)    Not Defined (use defaults)        Administrators
  delegation
Load and unload device drivers                              Administrators                Administrators                    Administrators
Restore files and directories                               Administrators                Administrators                    Administrators
Shut down the system                                        Administrators                Administrators                    Administrators

Security Options
Network security: Do not store LAN Manager hash value       Disabled                      Enabled                           Enabled
  on next password change

System Services
Distributed File System                                     Automatic                     Automatic                         Automatic
DNS Server                                                  Automatic                     Automatic                         Automatic
File Replication                                            Automatic                     Automatic                         Automatic
Intersite Messaging                                         Automatic                     Automatic                         Automatic
Kerberos Key Distribution Center                            Automatic                     Automatic                         Automatic
Remote Procedure Call (RPC) Locator                         Automatic                     Automatic                         Automatic
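The "incrementally added" point above (start from Table 5-7, then layer Table 5-9 on top) is easy to get wrong, for example by leaving the RPC Locator disabled on a domain controller. As an added example that is not from the chapter, the PowerShell below parses a secedit /export file and checks the High Security column of Table 5-9 against it. The export text is a constructed sample, and the function names and the C:\audit\dc.inf path are this example's own; the SIDs used are the well-known SIDs of Administrators (S-1-5-32-544), Authenticated Users (S-1-5-11) and ENTERPRISE DOMAIN CONTROLLERS (S-1-5-9).

```powershell
# Added example, not from the original chapter: check a "secedit /export" file against the
# domain controller settings of Table 5-9 (High Security column). On a domain controller run
#   secedit /export /cfg C:\audit\dc.inf /areas USER_RIGHTS SECURITYPOLICY SERVICES
# and pass that file's content to ConvertFrom-SecEdit. The export below is a constructed
# sample with three deliberate deviations so the check has something to report.

$SampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-5-9,*S-1-1-0
SeMachineAccountPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
[Service General Setting]
Dfs,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
DNS,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
NtFrs,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
IsmServ,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
Kdc,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
RpcLocator,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
'@

function ConvertFrom-SecEdit {
    # Parse the INI-style export into @{ Section = @{ Key = Value } }.
    # [Service General Setting] rows are "ShortName,StartType,SDDL" with 2=Automatic, 3=Manual, 4=Disabled.
    param([string[]]$Lines)
    $ini = @{}; $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $ini[$section] = @{}; continue }
        if ($null -eq $section) { continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $ini[$section][$matches[1]] = $matches[2] }
        elseif ($line -match '^([^,]+),([234]),') { $ini[$section][$matches[1]] = $matches[2] }
    }
    $ini
}

$SID = @{ Administrators = '*S-1-5-32-544'; AuthenticatedUsers = '*S-1-5-11'; EnterpriseDCs = '*S-1-5-9' }

# Table 5-9, High Security column, as the exact set of SIDs each right may hold.
$DcRights = @{
    SeNetworkLogonRight           = @($SID.Administrators, $SID.AuthenticatedUsers, $SID.EnterpriseDCs)
    SeMachineAccountPrivilege     = @($SID.Administrators)   # Add workstations to domain
    SeInteractiveLogonRight       = @($SID.Administrators)   # Allow log on locally
    SeRemoteInteractiveLogonRight = @($SID.Administrators)   # Allow log on through Terminal Services
    SeSystemtimePrivilege         = @($SID.Administrators)   # Change the system time
    SeEnableDelegationPrivilege   = @($SID.Administrators)
    SeLoadDriverPrivilege         = @($SID.Administrators)
    SeRestorePrivilege            = @($SID.Administrators)
    SeShutdownPrivilege           = @($SID.Administrators)
}
# Table 5-9 System Services by short service name; 2 = Automatic.
$DcServices = @{ Dfs = '2'; DNS = '2'; NtFrs = '2'; IsmServ = '2'; Kdc = '2'; RpcLocator = '2' }

function Test-DcBaseline {
    param([hashtable]$Export, [hashtable]$Rights, [hashtable]$Services)
    $findings = @()
    $pr = $Export['Privilege Rights'];        if (-not $pr) { $pr = @{} }
    $rv = $Export['Registry Values'];         if (-not $rv) { $rv = @{} }
    $sv = $Export['Service General Setting']; if (-not $sv) { $sv = @{} }
    foreach ($right in $Rights.Keys) {
        $actual = @()
        if ($pr.ContainsKey($right)) { $actual = @($pr[$right] -split ',' | ForEach-Object { $_.Trim() }) }
        $extra   = @($actual | Where-Object { $Rights[$right] -notcontains $_ })
        $missing = @($Rights[$right] | Where-Object { $actual -notcontains $_ })
        if ($extra.Count -gt 0 -or $missing.Count -gt 0) {
            $findings += "$($right): unexpected [$($extra -join ' ')] missing [$($missing -join ' ')]"
        }
    }
    # "Do not store LAN Manager hash value on next password change" is NoLMHash, REG_DWORD (type 4) = 1.
    if ($rv['MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash'] -ne '4,1') {
        $findings += 'NoLMHash is not Enabled (expected 4,1)'
    }
    foreach ($name in $Services.Keys) {
        $have = $sv[$name]; if (-not $have) { $have = 'not defined' }
        if ($have -ne $Services[$name]) { $findings += "Service $($name): start type $have (expected $($Services[$name]))" }
    }
    $findings
}

$export = ConvertFrom-SecEdit ($SampleExport -split "`n")
Test-DcBaseline -Export $export -Rights $DcRights -Services $DcServices
# On the constructed sample this reports three findings: Everyone (*S-1-1-0) holds "Access this
# computer from the network", NoLMHash is 4,0, and RpcLocator is 4 (Disabled), which is the
# member-server value that Table 5-9 changes to Automatic on a domain controller.

# Live check: Test-DcBaseline -Export (ConvertFrom-SecEdit (Get-Content C:\audit\dc.inf)) -Rights $DcRights -Services $DcServices
```

The same parser serves the Web server check in Table 5-12: compare SeDenyNetworkLogonRight with the SIDs of ANONYMOUS LOGON (S-1-5-7), the domain's built-in Administrator and Guest (RIDs 500 and 501 under the domain SID) and the service accounts in use. Those domain-relative SIDs have to be looked up per domain, which is why they are not hard-coded here.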

Ports required for domain controllers 

Domain controllers are responsible for specific functions, as seen in the different settings listed in Table 5-9. Many of those settings exist because of the services a domain controller must run to authenticate users and to replicate the Active Directory database with other domain controllers. Table 5-10 lists additional ports that you must open for domain controllers.

Table 5-10 Ports for domain controllers 

88 (Kerberos; TCP and UDP)
    The Kerberos protocol is used by Windows 2000 and later operating systems to log on and to obtain tickets for accessing other servers.

123 (NTP; UDP)
    Provides time synchronization for network clients using the Network Time Protocol (NTP). Kerberos depends on it: by default, tickets are rejected when clocks differ by more than five minutes.

135 (RPC endpoint mapper/DCOM; TCP)
    Allows RPC clients to discover the ports on which RPC services are listening.

389 (LDAP; TCP and UDP)
    The primary way that clients access Active Directory to obtain user information, e-mail addresses, services, and other directory service information.

464 (Kerberos password changes; TCP and UDP)
    Provides a secure method for users to change passwords using Kerberos.

636 (LDAP over SSL; TCP)
    Needed if LDAP will use SSL to encrypt LDAP traffic and authenticate the server (mutual authentication when clients also present certificates).

3268 (Global Catalog; TCP)
    Provides the means for clients to search Active Directory information that spans multiple domains.

3269 (Global Catalog over SSL; TCP)
    Needed because the Global Catalog uses SSL to provide encryption and authentication for Global Catalog traffic.

NOTE  If your domain controller is also running the DNS Server service, you will need to open port 53 (TCP and UDP) as well.

File and print servers 

File and print servers are responsible for resource storage and controlling access to these resources throughout the enterprise. These servers house the company's documents, trade secrets, financial data, and much more. If these computers are not protected, the entire company might be in jeopardy. These computers must be stable, protected, and available to provide users and applications access to resources stored on these computers.

Like the domain controllers, these servers must be physically protected. An attacker with physical possession of a file server can boot another operating system or move the disks to another computer and read the data directly, bypassing NTFS permissions entirely. You should take action to protect against this.

Table 5-11 lists security settings for file and print servers that differ from the settings in the "Member Servers" section earlier in the chapter. In other words, the baseline security settings for file and print servers as outlined here should be incrementally added to the baseline security settings for member servers described previously. These settings are best created in a GPO that is then linked to the OU that contains the file servers.

MORE INFO  For more information on hardening file and print servers in different enterprise environments, see the Windows Server 2003 Security Guide.

Table 5-11 Security settings for file and print servers 

Security Setting                                            Legacy Client Configuration     Enterprise Client Configuration  High Security Configuration

Security Options
Microsoft network server: Digitally sign communications     Disabled (Print Servers only)   Disabled (Print Servers only)    Disabled (Print Servers only)
  (always)

System Services
Distributed File System                                     Disabled                        Disabled                         Disabled
File Replication                                            Disabled                        Disabled                         Disabled
Print Spooler                                               Automatic (Print Servers only)  Automatic (Print Servers only)   Automatic (Print Servers only)

Web servers 

Microsoft Internet Information Services (IIS) is the service that provides Web services on a Windows server. Web servers must be properly secured from malicious attackers, while still allowing legitimate clients to access intranet or public Web sites hosted on the server.

IIS is not installed by default on the Windows Server 2003 family of servers, and when you do install it, IIS 6.0 starts in a locked-down mode: it serves only static content until you explicitly enable dynamic content handlers (ASP, ASP.NET, CGI, ISAPI) under Web Service Extensions in IIS Manager, so enable only the handlers your applications actually need. Beyond the best-practice security settings presented in this section for IIS, be sure to protect your Web servers by monitoring security using some form of intrusion detection system, and by implementing proper incident response procedures.

Security settings for Web servers 

Security settings for Web servers are best created in a GPO that is then linked to the OU that contains the Web servers. Table 5-12 lists only the settings that differ from those in Table 5-7. In other words, the baseline security settings for Web servers as outlined here should be incrementally added to the baseline security settings for member servers described previously.


MORE INFO  For more information on hardening Web servers in different enterprise environments, see the Windows Server 2003 Security Guide.

Table 5-12 Security settings for Web servers 

Security Setting                                            Legacy Client Configuration     Enterprise Client Configuration  High Security Configuration

User Rights
Deny access to this computer from the network               (a)                             (a)                              (a)

System Services
HTTP SSL                                                    Automatic                       Automatic                        Automatic
IIS Admin Service                                           Automatic                       Automatic                        Automatic
World Wide Web Publishing Service                           Automatic                       Automatic                        Automatic

(a) ANONYMOUS LOGON; built-in Administrator; Support_388945a0; Guest; all service accounts that are not operating-system accounts. The same list applies in all three configurations.

Ports required for Web servers 

Web servers should have limited ports available, to reduce their exposure to attacks from the local network and the Internet. The fewer the ports that are open, the better. Table 5-13 is a list of additional ports that you will need to open for Web servers.

Table 5-13 Ports for Web servers 

80 (HTTP; TCP)
    The standard HTTP port for providing Web services to users. This can easily be changed and is not required. If you do change the port for HTTP, be sure to add the new port to this list and configure that setting within IIS.

443 (HTTPS; TCP)
    HTTP over SSL/TLS, which gives Web traffic encryption, integrity, and server authentication.
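The three port tables in this section (5-8, 5-10 and 5-13) together describe a per-role allowlist. As an added example that is not part of the chapter, the PowerShell below encodes that allowlist, generates the netsh firewall commands that open exactly those ports on the Windows Firewall shipped with Windows Server 2003 SP1, and compares a netstat -ano capture against the allowlist to find listeners a role should not have. The transport protocols (TCP or UDP) are added here, since the tables give port numbers only; the netstat capture is constructed; and the function names are this example's own.

```powershell
# Added example, not from the original chapter: turn the port tables of this section into a
# per-role allowlist, then (a) emit the "netsh firewall" commands that open exactly those
# ports on the Windows Server 2003 SP1 Windows Firewall and (b) compare a "netstat -ano"
# capture with the allowlist to find listeners the role does not need. The transport
# protocols are this example's additions (the tables give port numbers only), and the
# netstat text is a constructed sample. Dynamic RPC ports (1025-5000 by default), which
# Active Directory replication also uses, are out of scope here.

$MemberServerPorts     = @('UDP/137', 'UDP/138', 'TCP/139', 'TCP/445', 'TCP/3389')         # Table 5-8
$DomainControllerPorts = $MemberServerPorts + @(                                          # Table 5-10
    'TCP/88', 'UDP/88', 'UDP/123', 'TCP/135', 'TCP/389', 'UDP/389', 'TCP/464', 'UDP/464',
    'TCP/636', 'TCP/3268', 'TCP/3269',
    'TCP/53', 'UDP/53')                                                                   # DNS, note after Table 5-10
$WebServerPorts        = $MemberServerPorts + @('TCP/80', 'TCP/443')                      # Table 5-13

function New-FirewallRuleScript {
    # One "netsh firewall add portopening" line per allowed port; redirect to a .cmd file to apply.
    param([string[]]$Allow, [string]$RoleName)
    foreach ($entry in $Allow) {
        $proto, $port = $entry -split '/'
        "netsh firewall add portopening protocol=$proto port=$port name=`"$RoleName $proto $port`" mode=ENABLE profile=ALL"
    }
}

function Get-ListeningPorts {
    # Parse netstat -ano output: TCP rows in LISTENING state and every UDP row (UDP has no state column).
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$') {
            New-Object PSObject -Property @{ Endpoint = "$($matches[1])/$($matches[2])"; OwnerPid = [int]$matches[3] }
        }
    }
}

function Find-UnexpectedListeners {
    param([string[]]$NetstatLines, [string[]]$Allow)
    Get-ListeningPorts $NetstatLines | Where-Object { $Allow -notcontains $_.Endpoint } | ForEach-Object {
        # Resolve the owning process where it exists on this machine; PIDs from the sample show '?'.
        $proc = Get-Process -Id $_.OwnerPid -ErrorAction SilentlyContinue
        $_ | Add-Member -MemberType NoteProperty -Name Process -Value $(if ($proc) { $proc.ProcessName } else { '?' }) -PassThru
    }
}

# Constructed netstat -ano capture from a supposed member server (not a real host).
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1560
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1124
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      10.0.0.5:51234         ESTABLISHED     1124
  UDP    0.0.0.0:161            *:*                                    1348
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:138       *:*                                    4
'@ -split "`n"

Find-UnexpectedListeners -NetstatLines $SampleNetstat -Allow $MemberServerPorts |
    Format-Table Endpoint, OwnerPid, Process -AutoSize
# Flags TCP/23 (Telnet), TCP/135 (RPC endpoint mapper) and UDP/161 (SNMP): none is in Table 5-8,
# and Table 5-7 disables the Telnet and SNMP services on member servers.

New-FirewallRuleScript -Allow $WebServerPorts -RoleName 'WebServer'   # pipe to Set-Content .\web-fw.cmd to apply
# Live audit of this host: Find-UnexpectedListeners -NetstatLines (netstat -ano) -Allow $DomainControllerPorts
```

Treat the report as review items rather than an automatic close list: TCP/135 (the RPC endpoint mapper) is absent from Table 5-8 yet is required for remote MMC and WMI management of any member server, and domain controllers additionally use dynamic RPC ports (1025-5000 by default on Windows Server 2003) for replication, which the tables do not list.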